
highjack log poptart3


20 replies to this topic

#1 poptart3

poptart3

  • Members
  • 9 posts

Posted 14 November 2004 - 02:16 PM

Ran Ad-Aware SE 4 times and Spybot Search & Destroy 2 times, but I am still getting malware. Could you all please look at my hijack log and see if I have anything else I need to delete out?

Thank you.


Logfile of HijackThis v1.98.2
Scan saved at 1:07:52 PM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CSBB\CSV7P70.exe
C:\WINDOWS\mcexp.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\SMARTP~1\SMARTP~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\prjtect.exe
C:\WINDOWS\System32\prjtect.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rick\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Redirect Class - {9516919A-9D32-4B17-BD14-2CE488599F65} - C:\Program Files\EE\EEF.dll
O2 - BHO: CATLEvents Object - {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6} - C:\DOCUME~1\Rick\LOCALS~1\Temp\pxecm.dat
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P70.exe
O4 - HKLM\..\Run: [rjnmh] C:\WINDOWS\System32\cfyuoq.exe
O4 - HKLM\..\Run: [*mcexp] C:\WINDOWS\mcexp.exe
O4 - HKLM\..\RunOnce: [*mcexp] C:\WINDOWS\mcexp.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\syzajy.exe
O4 - HKCU\..\Run: [SmartSoftPopupKiller] C:\PROGRA~1\SMARTP~1\SMARTP~1.EXE /hidden
O4 - HKCU\..\Run: [prjtect] C:\WINDOWS\System32\prjtect.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system\playw.exe ren time:1100406020
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {E4463A35-7E7A-4621-8248-91307AFA8EAD} - http://www.adtraffic.net/pr/icmedia404.cab
O20 - AppInit_DLLs: mad.dll



#2 daveai

daveai

  • Members
  • 266 posts

Posted 14 November 2004 - 04:44 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts

Posted 14 November 2004 - 04:51 PM

Your system has a StopGuard infection.

If you have not rebooted since posting the HijackThis log above, then do not reboot. This infection will 'morph' on every reboot and change the names of the bad files.

If you have rebooted since posting the log, then please reboot normally, create a new HijackThis log, post it into a reply to this message, and then don't reboot until I respond with a fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 poptart3

poptart3
  • Topic Starter

  • Members
  • 9 posts

Posted 14 November 2004 - 06:08 PM

I have restarted the computer.....holding now though


Logfile of HijackThis v1.98.2
Scan saved at 5:06:11 PM, on 11/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CSBB\CSV7P70.exe
C:\WINDOWS\mcexp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Rick\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Redirect Class - {9516919A-9D32-4B17-BD14-2CE488599F65} - C:\Program Files\EE\EEF.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6} - C:\DOCUME~1\Rick\LOCALS~1\Temp\pxecm.dat
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P70.exe
O4 - HKLM\..\Run: [rjnmh] C:\WINDOWS\System32\cfyuoq.exe
O4 - HKLM\..\Run: [*mcexp] C:\WINDOWS\mcexp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [*mcexp] C:\WINDOWS\mcexp.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E4463A35-7E7A-4621-8248-91307AFA8EAD} - http://www.adtraffic.net/pr/icmedia404.cab
O20 - AppInit_DLLs: mad.dll

#5 poptart3

poptart3
  • Topic Starter

  • Members
  • 9 posts

Posted 14 November 2004 - 06:10 PM

Oh, and I installed a new virus scanner... that is the reason for rebooting.

#6 daveai

daveai

  • Members
  • 266 posts

Posted 14 November 2004 - 08:40 PM

post deleted by daveai...new fix will be posted shortly

Edited by daveai, 14 November 2004 - 08:42 PM.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#7 daveai

daveai

  • Members
  • 266 posts

Posted 14 November 2004 - 08:57 PM

poptart3 -- Thanks for sending your HijackThis log.

Here are the instructions for fixing StopGuard.

Please Print these instructions, you will not be able to access this page in safe mode.

1) Enable 'show all files'

2) Click Start
Run
Type in regedit
Click OK or Enter

Navigate to, and delete if found (in the left pane of Registry Editor):
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

Close Registry Editor

If for some reason this does not work or is not permitted, do it as soon as you go into safe mode.

3) Now double-click on Killbox.exe to run it. In the drop-down menu next to the yellow triangle, scroll until you see mcexp.exe and select it. Click the yellow triangle and click Yes to confirm that you want to end the task.
In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
C:\WINDOWS\mcexp.exe


Next, click on the Action menu and choose "Delete on Reboot". Click the button with the red circle with a white X in it. Close Killbox.


4) As the machine boots back up from the Killbox part of this fix, boot into safe mode by tapping F8 at boot, then use the up/down arrows to select safe mode.

Run the Registry Edit here, if it didn't work in Normal Mode.


5) Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.


R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL

O2 - BHO: CATLEvents Object - {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6} - C:\DOCUME~1\Rick\LOCALS~1\Temp\pxecm.dat

O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL

O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P70.exe

O4 - HKLM\..\Run: [rjnmh] C:\WINDOWS\System32\cfyuoq.exe

O4 - HKLM\..\Run: [*mcexp] C:\WINDOWS\mcexp.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [*mcexp] C:\WINDOWS\mcexp.exe rerun

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O20 - AppInit_DLLs: mad.dll


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


6) Delete the following files if they are still there:

If you do not know how to manually delete a file or folder, please ASK before attempting this fix

Use the Windows Search Function to locate and delete all instances of 'pxecm' and 'mcexp' and 'playw'



C:\WINDOWS\mcexp.exe <-- this file

C:\WINDOWS\System32\cfyuoq.exe <-- this file

mad.dll <-- this file (use 'Start > Search' to find it)


C:\Program Files\ZEROPO~1\ < this folder (search for a directory that starts with the characters "ZEROPO" and does not contain "~1")

C:\Program Files\CSBB\ < this folder

C:\Program Files\TV Media\ < this folder



7) Empty your Temp folders as follows: This needs to be adjusted according to which OS you are dealing with

Open Internet Explorer. You'll get a Page not Found error, but that's normal in safe mode.
At the top, click Tools>Internet Options> and then, in the center click Delete Cookies
Click Delete Files and then in the new applet check the box for all offline content
Click OK

Close that applet and open the C>Windows>Temp folder, and delete all files in there too, and all files in sub-folders of Temp.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty

Double check to see if the folder C:\Documents and Settings\Rick\Local Settings\Temp is empty.
Empty your recycle bin.

8) Reboot back into normal Windows and post a fresh HijackThis log. Once we fix the StopGuard infection, there are some final items I want to be sure are cleaned out.


Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#8 poptart3

poptart3
  • Topic Starter

  • Members
  • 9 posts

Posted 14 November 2004 - 11:33 PM

OK, how do I delete the files once I am in safe mode and have them checked on hijack?

Thank you in advance for all your help

#9 DoughBoy

DoughBoy

  • Members
  • 13 posts

Posted 14 November 2004 - 11:53 PM

[edited]

Edited by cryo, 16 November 2004 - 03:33 PM.


#10 daveai

daveai

  • Members
  • 266 posts

Posted 15 November 2004 - 12:02 AM

Thanks for the note.

The entries are deleted in HijackThis, by pressing the 'Fix' button.

Then, use Windows Explorer to locate and delete the files in the next step.


Regarding DoughBoy's over-post into the fix, the CLSID in the O2 entry for:

O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL

is identified as a CoolWebSearch infection in the databases used for HijackThis log analysis.

I recommend that you delete the O2 entry AND the file.

Please let me know if you have additional questions.

And, don't forget to send me a new HijackThis log after you complete the steps. There will probably be some final clean up to do.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#11 poptart3

poptart3
  • Topic Starter

  • Members
  • 9 posts

Posted 16 November 2004 - 08:32 AM

thanks

#12 poptart3

poptart3
  • Topic Starter

  • Members
  • 9 posts

Posted 16 November 2004 - 08:57 AM

Went through all the steps you put on here. The Mad.dll would not delete in safe mode; it said it was being used by something else, but it was not a folder, it looked like a page.

Again thank you for all your help, this page has surely been a life saver.

Here is the new Hijack you asked for.......

Logfile of HijackThis v1.98.2
Scan saved at 7:54:16 AM, on 11/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Rick\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Redirect Class - {9516919A-9D32-4B17-BD14-2CE488599F65} - C:\Program Files\EE\EEF.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E4463A35-7E7A-4621-8248-91307AFA8EAD} - http://www.adtraffic.net/pr/icmedia404.cab
O20 - AppInit_DLLs: mad.dll

#13 daveai

daveai

  • Members
  • 266 posts

Posted 16 November 2004 - 12:38 PM

Thanks for the response.

Good job so far.

You are still infected by TV Media (including mad.dll in the O20 entry).

This one has been proving very difficult to remove, and I want to consult with some others before proceeding.

I'll be back as soon as possible, probably later this evening (it's morning where I am).


In the meantime, the 'easy way' just might work, so please try this:

Use 'Control Panel > Add/Remove Programs' to remove any of the following entries you can find on your system:

‘TV Media’,
‘TV Media Display’,
‘MS T-Media Display’.


Then, reboot into safe mode and delete the folder called "C:\Program Files\TV Media"

Then, run HijackThis to create a new log and post it back here. Also, let me know what you found when you tried the steps above.


Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
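
The comparison made in the post above (which entries from the fix list still appear in the follow-up HijackThis log) can be done mechanically. This is an added Python example, not part of the original thread; the function names are hypothetical, and both samples are short excerpts of entries posted earlier in this topic, including one entry that the forum wrapped across two lines.

```python
import re

# A HijackThis entry line is a section code (R0-R3, F0-F3, N1-N4, O1-O23),
# then " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(text):
    """Return {normalized_key: original_line} for every entry line in text."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Forum wrapping can split a long path; a fragment that starts with a
        # backslash is glued back onto the entry line before it.
        if line.startswith("\\") and joined and ENTRY_RE.match(joined[-1]):
            joined[-1] += line
        else:
            joined.append(line)
    entries = {}
    for line in joined:
        m = ENTRY_RE.match(line)
        if m:
            # Case-fold and collapse spaces so MSMSGS.EXE / msmsgs.exe match.
            key = (m.group(1), " ".join(m.group(2).split()).casefold())
            entries[key] = line
    return entries


def check_fix(fix_list, followup_log):
    """Split fix-list entries into (removed, remaining) per the follow-up log."""
    wanted = parse_entries(fix_list)
    present = parse_entries(followup_log)
    removed = [line for key, line in wanted.items() if key not in present]
    remaining = [line for key, line in wanted.items() if key in present]
    return removed, remaining


# Excerpt of the fix list from post #7 (first entry wrapped as posted).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media
\TvmBho.dll
O4 - HKLM\..\Run: [*mcexp] C:\WINDOWS\mcexp.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O20 - AppInit_DLLs: mad.dll
"""

# Excerpt of the follow-up log from post #12.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O20 - AppInit_DLLs: mad.dll
"""

if __name__ == "__main__":
    removed, remaining = check_fix(FIX_LIST, FOLLOWUP_LOG)
    print("Removed:", *removed, sep="\n  ")
    print("Still present:", *remaining, sep="\n  ")
```

On these excerpts the two entries reported as still present are the HKCU TV Media Run value and the O20 AppInit_DLLs mad.dll entry.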

#14 DoughBoy

DoughBoy

  • Members
  • 13 posts

Posted 16 November 2004 - 01:16 PM

[Edited]

Edited by cryo, 16 November 2004 - 03:34 PM.


#15 daveai

daveai

  • Members
  • 266 posts

Posted 16 November 2004 - 03:21 PM

DoughBoy -- Please stop over-posting into this thread.

I refer you to this link if you wish to help out here at Bleeping Computer:

http://www.bleepingcomputer.com/forums/t/2322/help-wanted/

And this policy statement which you can find at the top of this page:

PLEASE READ: Since this is an open forum it is possible you may receive advice on what to fix with HijackThis from inexperienced members. However well-intentioned that advice may be, please do not act on it until an Administrator, Moderator or member of the HJT Team posts to your Topic. Improper use of HijackThis or other Spyware Removal Tools can cause serious operating system damage to your computer.

If you are not a HJT Team member, please refrain from offering advice on what HJT entries to fix, as it can cause confusion.


Thank you for your cooperation.

daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous



